When applications are added to RSA SecurID Access using either the HTTP Federation Proxy (HFED) or trusted headers method, the identity routers connect directly to the application web servers. If SSL is enabled for these applications, the application web server must have a valid certificate signed by a certificate authority (CA) that the identity routers trust.

However, some companies use an internal or lesser-known CA to sign certificates used for their application web servers. To establish trust between the identity router and an internal CA, you can upload one or more CA certificates using the Cloud Administration Console.